Systems and methods for navigating vehicles with redundant navigation systems

ABSTRACT

Systems, methods, and non-transitory computer-readable media can receive sensor data providing information about an environment surrounding a vehicle to a first computing system and a second computing system associated with the vehicle, wherein the first computing system and the second computing system are each capable of generating navigation instructions for the vehicle based on the received sensor data. A first planned trajectory is determined based on the sensor data by the first computing system. The vehicle is navigated by the first computing system based on the first planned trajectory. Control of the vehicle is transitioned from the first computing system to the second computing system based on a failure associated with the first computing system. An emulated trajectory is determined based on data describing a current motion of the vehicle by the second computing system. The vehicle is navigated by the second computing system based on the emulated trajectory.

FIELD OF THE INVENTION

The disclosed technology relates to navigation systems. More particularly, the disclosed technology relates to systems, apparatus, and methods for managing operation of vehicles with redundant vehicle navigation systems.

BACKGROUND

Vehicles are increasingly being equipped with intelligent features that allow them to monitor their surroundings and make informed decisions on how to navigate. Such vehicles, whether autonomously or semi-autonomously driven, may be capable of sensing their environment and navigating with little or no human input as appropriate. A vehicle may include a variety of systems and subsystems for enabling the vehicle to determine its surroundings so that it may safely navigate to target destinations. As one example, the vehicle may have a computing system (e.g., one or more central processing units, graphical processing units, memory, storage, etc.) for controlling various operations of the vehicle, such as driving and navigating. To that end, the computing system may process data from one or more sensors and, based on the data, provide navigation instructions (e.g., turn left, turn right, slow down, etc.) for the vehicle.

SUMMARY

Various embodiments of the disclosed technology can include systems, methods, and non-transitory computer readable media configured to receive sensor data from a plurality of sensors configured to provide information about an environment surrounding a vehicle to at least a first computing system and a second computing system associated with the vehicle, wherein the first computing system and the second computing system are each capable of generating navigation instructions for the vehicle based at least in part on the received sensor data. A first planned trajectory is determined based on the sensor data by the first computing system. The vehicle is navigated by the first computing system based on the first planned trajectory. Control of the vehicle is transitioned from the first computing system to the second computing system based on a failure associated with the first computing system. An emulated trajectory is determined based on data describing a current motion of the vehicle by the second computing system. The vehicle is navigated by the second computing system based on the emulated trajectory.

In an embodiment, a second planned trajectory is determined based on the sensor data by the second computing system.

In an embodiment, the emulated trajectory is generated faster than a time required for the second computing system to generate a new planned trajectory from the sensor data.

In an embodiment, the emulated trajectory is an extrapolation of vehicle motion as indicated by current state of at least one vehicle motion control component.

In an embodiment, the failure is determined by at least one health monitor associated with the first computing system.

In an embodiment, the failure is detected by the health monitor, and in response, control of the vehicle is transitioned to the second computing system based on the failure. The first computing system is a primary computing system and the second computing system is a backup computing system.

In an embodiment, the first computing system does not provide the second computing system with the first planned trajectory.

In an embodiment, the at least one vehicle motion control component is configured to control at least one of a brake, an accelerator, an engine, or a steering wheel, and wherein the emulated trajectory is determined based on information provided by the at least one vehicle motion control component.

In an embodiment, the extrapolation is a linear extrapolation determined based on parameters associated with the vehicle motion control components including at least one of angle, power, speed, torque, or derivatives of the parameters.

In an embodiment, the linear extrapolation reflects an instantaneous velocity of the vehicle at the time of the transition of control.

It should be appreciated that many other features, applications, embodiments, and variations of the disclosed technology will be apparent from the accompanying drawings and from the following detailed description. Additional and alternative implementations of the structures, systems, non-transitory computer readable media, and methods described herein can be employed without departing from the principles of the disclosed technology.

BRIEF DESCRIPTION OF THE DRAWINGS

FIGS. 1A-1B illustrate example scenarios demonstrating various challenges that may be experienced with conventional approaches.

FIG. 2 illustrates an example configuration of conventional redundant navigation systems.

FIG. 3A illustrates an example functional block diagram of a vehicle system, according to an embodiment of the disclosed technology.

FIG. 3B illustrates example planned and emulated vehicle trajectories, according to an embodiment of the disclosed technology.

FIG. 4 illustrates example timelines for demonstrating differences between conventional technology and an embodiment of the disclosed technology.

FIG. 5 illustrates an example method, according to an embodiment of the disclosed technology.

FIG. 6 illustrates an example block diagram of a transportation management environment, according to an embodiment of the disclosed technology.

FIG. 7 illustrates an example of a computer system or computing device that can be utilized in various scenarios, according to an embodiment of the disclosed technology.

The figures depict various embodiments of the disclosed technology for purposes of illustration only, wherein the figures use like reference numerals to identify like elements. One skilled in the art will readily recognize from the following discussion that alternative embodiments of the structures and methods illustrated in the figures can be employed without departing from the principles of the disclosed technology described herein.

DETAILED DESCRIPTION

Vehicles are increasingly being equipped with intelligent features that allow them to monitor their surroundings and make informed decisions on how to navigate. Such vehicles, whether autonomously or semi-autonomously driven, may be capable of sensing their environment and navigating with little or no human input. A vehicle may include a variety of systems and subsystems for enabling the vehicle to determine its surroundings so that it may safely navigate to target destinations. As one example, the vehicle may have a computing system (e.g., one or more central processing units, graphical processing units, memory, storage, etc.) for controlling various operations of the vehicle, such as driving and navigating. To that end, the computing system may process data from one or more sensors and, based on the data, provide navigation instructions (e.g., turn, slow down, etc.) for the vehicle. However, the computing system or its subsystems may experience a hardware or software failure that prevents the computing system from safely navigating the vehicle. One approach to address this problem is to build redundancy into navigation systems. For example, a vehicle can include a primary navigation system and a backup navigation system that can each operate independently to enable the vehicle to determine its surroundings so that it may safely navigate to target destinations. In this example, the backup navigation system can assume control of the vehicle when the primary navigation system experiences a hardware or software failure. However, building redundant navigation systems into a vehicle raises new challenges that involve coordinating and transitioning operation of the vehicle among the redundant navigation systems. For example, one conventional approach for managing redundant navigation systems in a vehicle is to ensure that the navigation systems are identical with respect to hardware configuration and are bit-identical.
Ideally, each navigation system would process sensor data obtained by the vehicle and provide identical navigation trajectories for the vehicle at all times. In other words, the navigation systems would independently receive the same sensor data, process the sensor data in the same manner, and arrive at the same trajectory for navigating the vehicle at all times. In this conventional approach, if one navigation system in the vehicle fails, control of the vehicle can transition to the other navigation system which proceeds to navigate the vehicle along the same trajectory as if no failure had occurred. Thus, the identical navigation systems can satisfy a continuity constraint requirement while allowing seamless transitioning between the navigation systems. However, such identical redundancy comes with substantial challenges involving system engineering and operation that render this conventional approach impractical or uneconomical. For example, a bit-identical setup demands a highly constrained execution environment. Such a highly constrained execution environment comes with various disadvantages. For one, the highly constrained execution environment has little to no error tolerance as it is particularly challenging to use diverse sensors and diverse algorithms that can effectively address common cause failures. For another, the highly constrained execution environment must be very restrictive to guarantee bit-identical execution, thus significantly burdening overall performance of the navigation systems. As a result, conventional approaches typically implement non-identical vehicle navigation systems and therefore accept that different vehicle navigation systems associated with a vehicle may plan and implement different trajectories for navigating the vehicle. However, such conventional approaches face additional challenges, as illustrated in the examples of FIGS. 1A-1B.

FIG. 1A illustrates an example scenario 100 that is illustrative of various challenges that may be experienced by a vehicle 102. The vehicle 102 can be, for example, a vehicle 640 of FIG. 6. In general, the vehicle 102 may be equipped with one or more sensors that can be used to capture environmental information, such as information describing a given road and objects present on or along the road. For example, in some instances, the vehicle 102 may be equipped with one or more sensors in a sensor suite including optical cameras, LiDAR, radar, infrared cameras, and ultrasound equipment, to name some examples. Such sensors can be used to collect information that can be used by the vehicle 102 to understand its environment and objects within the environment. In FIG. 1A, the vehicle 102 is driving down a road 104 at nearly 55 miles per hour. The vehicle 102 detects debris 106 in its direction of travel. A primary on-board navigation system in the vehicle 102 must quickly determine whether to steer the vehicle 102 to the left 108 of the debris 106, continue forward 110 through the debris 106, steer the vehicle 102 to the right 112 of the debris 106, stop the vehicle 102, or take other appropriate action. The primary on-board navigation system can determine a best trajectory for the vehicle 102 based on environmental information captured by sensor data. In some instances, the vehicle 102 can include a backup on-board navigation system for added safety in case the primary on-board navigation system fails. However, transitioning control of the vehicle 102 from the primary on-board navigation system to the backup on-board navigation system can pose numerous challenges, as illustrated in the example of FIG. 1B. In FIG. 1B, the vehicle 102 is driving down the road 104. The vehicle 102 is equipped with conventional redundant navigation systems including a primary on-board navigation system and a backup on-board navigation system.
In this example, the primary and backup navigation systems are not hardware- and bit-identical and, thus, may independently determine different trajectories for navigating the vehicle 102. For example, while driving down the road 104, sensors of the vehicle 102 can detect the debris 106 that is present on the road 104. To avoid the debris 106, the primary navigation system may determine a first trajectory 158 that steers to the left of the debris 106 to avoid collision with the debris 106 while the backup navigation system may determine a second trajectory 162 that steers to the right of the debris 106 to avoid the collision. While both trajectories 158, 162 may each provide a trajectory that can avoid the debris 106, the vehicle 102 can only physically follow a single trajectory. In a scenario where the primary navigation system is controlling the vehicle 102, the primary navigation system can provide initial instructions for the vehicle 102 to avoid the debris 106 by steering left according to its first trajectory 158. At some point in time, the primary navigation system may experience a failure which results in the backup navigation system assuming control of the vehicle 102. As control of the vehicle 102 transitions from the primary navigation system to the backup navigation system, the backup navigation system can instruct the vehicle 102 to proceed along its planned trajectory 162. However, in this example, the vehicle 102 had already been instructed to navigate corresponding to the first trajectory 158 by the primary navigation system before its failure. The vehicle 102 has started adjusting its low-level motion control components (e.g., actuators controlling a steering wheel, acceleration, etc.) to navigate the vehicle 102 based on the first trajectory 158. As a result, the vehicle 102 is partially following the trajectory 158 when the backup navigation system assumes control of the vehicle 102.
In this example, the backup navigation system may attempt to re-align the vehicle 102 to follow the second trajectory 162 that was planned by the backup navigation system. However, the vehicle 102 may not be able to instantaneously modify its operation (e.g., change tire direction, reduce speed, etc.) to follow the second trajectory 162 without creating hazardous conditions in the process, as illustrated by a third trajectory 160 that may result when the backup navigation system attempts to re-align the vehicle 102 to follow the second trajectory 162. To address this problem, one conventional approach involves informing the backup navigation system of the first trajectory 158 that was planned by the primary navigation system. Under this conventional approach, the backup navigation system would attempt to control the vehicle 102 based at least in part on the first trajectory 158 planned by the failed primary navigation system. However, in this conventional approach, the first trajectory 158 could have been erroneous due to the failure of the primary navigation system. Further, even if the first trajectory 158 is not erroneous, it could conflict with the second trajectory 162. For example, as illustrated, the first trajectory 158 may instruct the vehicle to steer left and low-level motion control components (e.g., a steering wheel control component, a brake control component, an accelerator control component, an engine control component, or the like) could already reflect the instructions to steer the vehicle to the left. When the backup navigation system assumes control of the vehicle 102 upon the detection of a failure in the primary navigation system, the second trajectory 162 may not be immediately applied to the low-level motion control components that are reflecting motion instructed by the first trajectory 158.
Thus, relying on the first trajectory 158 in any way when the second navigation system assumes control can result in unpredictability and possible hazardous conditions, as discussed further in reference to FIG. 2.

FIG. 2 illustrates an example conventional configuration 200 of redundant navigation systems, according to conventional technology. As shown in the example of FIG. 2, the example conventional configuration 200 can include a first navigation system including a primary computing system 202, which can be a primary computing system for the operation of the vehicle. The conventional configuration 200 also includes a second navigation system including a backup computing system 232, which can be a backup computing system for operation of the vehicle. The primary computing system 202 and backup computing system 232 can receive sensor data from a plurality of sensors 220 configured to provide information about an environment surrounding a vehicle. Some example sensors can be sensors 644 in FIG. 6. The primary computing system 202 can include a perception module 204, a prediction module 206, a planning module 208, and a control module 210. In the conventional configuration 200, the backup computing system 232, similar to the primary computing system 202, can include its own perception module 234, prediction module 236, planning module 238, and control module 240. Generally, the perception module 204 can be configured to collect information about the environment surrounding the vehicle and extract relevant information. The perception module 204 can develop a contextual understanding of the environment, such as where obstacles are located, detect road signs or markings, or categorize detected objects. Further, the perception module 204 can determine or localize a position of the vehicle with respect to the environment. Once the perception module 204 determines its environment and successfully localizes the vehicle in the environment, it can provide such information to the prediction module 206. The prediction module 206 can be configured to predict locations and trajectories of the detected objects (e.g., vehicles, pedestrians, deer, debris, etc.).
The prediction module 206 can provide its predictions to the planning module 208. The planning module 208 can be configured to make high-level decisions, such as which trajectory the vehicle should travel from a starting location to a destination location. The planning module 208 can provide planned trajectories to the perception module 204 in a feedback loop. The feedback loop can improve functions of the perception module 204, prediction module 206, or planning module 208. For example, if the vehicle is turning left based on a planned trajectory, and provides some or all of its trajectory-related information back to the perception module 204, the perception module 204 can better filter and process the sensor data 220 to improve contextual understanding and localization. Similarly, the prediction module 206 can also benefit from the feedback loop as it can better focus on predicting what is likely to happen along the planned trajectory in the future. Continuing with the description of the primary computing system 202, the planning module 208 can provide its planned trajectories to the control module 210. The control module 210 can interpret the planned trajectories for high-level decisions (e.g., steer left 45 degrees while slowing down speed to 15 mph) and can provide a set of specific control instructions to low-level motion control components 224 that navigate the vehicle to correspond to the planned trajectories. For example, the vehicle may be instructed to rotate a steering wheel counter-clockwise for a certain amount at a certain rate while applying brakes gradually. The perception module 234, the prediction module 236, the planning module 238, and the control module 240 of the backup computing system 232 function in a manner similar to the perception module 204, the prediction module 206, the planning module 208, and the control module 210 of the primary computing system 202.

Each of the control modules 210, 240 of the primary computing system 202 and the backup computing system 232 can individually determine instructions for controlling vehicle motion control components 224. The example conventional configuration 200 can include a health monitor module 222 that collects information including system health information from the primary computing system 202 and backup computing system 232. For example, the health monitor module 222 can permit the control module 210 of the primary computing system 202 to control motion control components 224 if satisfied with system health information provided by the primary computing system 202. However, if system health information provided by the primary computing system 202 indicates a system failure, then the health monitor module 222 can permit the control module 240 of the backup computing system 232 to assume control of the vehicle. FIG. 2 also illustrates use of a conventional signal to communicate trajectory information between the primary computing system 202 and the backup computing system 232. For example, the planning module 208 of the primary computing system 202 can provide its planned trajectory as a signal 212 to one or more modules of the backup computing system 232. Under this conventional approach, the backup computing system 232 can receive and use the planned trajectory of the primary computing system 202 to determine its own trajectory at the planning module 238. However, the trajectory planned by the primary computing system 202 can conflict with a trajectory planned by the backup computing system 232, thereby creating hazardous conditions, as described above in reference to FIG. 1B.

An improved approach in accordance with the disclosed technology overcomes the foregoing and other disadvantages associated with conventional approaches. In various embodiments, a backup navigation system that assumes control of a vehicle can generate and use an emulated trajectory to navigate the vehicle without relying on trajectories that were planned by a failed primary navigation system. In some embodiments, the emulated trajectory can be generated based on information describing actual vehicle motion or control signals provided to motion control components. In some embodiments, the emulated trajectory can be an extrapolation of vehicle motion or assumed current trajectory. For example, the extrapolation, in some instances, can be a linear extrapolation of the vehicle motion. In some embodiments, the linear extrapolation of the vehicle motion reflects an instantaneous velocity of the vehicle at or near the time of the transition of control. The generation and adoption of an emulated trajectory provides at least two advantages. First, the emulated trajectory is generated based on current states as detected from vehicle motion control components and can be generated at a higher frequency than conventional approaches for trajectory planning. The emulated trajectory can thus be generated in real-time (or near real-time) to help ensure that a continuity constraint requirement for the vehicle remains satisfied despite an unforeseen primary computing system failure so that the navigation of the vehicle is more comfortable for passengers while the navigation still allows for appropriate path planning around obstacles. Second, the conventional approach of providing a trajectory planned by a failed primary navigation system to a backup navigation system introduces an additional input variable to the navigation control process.
The additional input variable can complicate engineering, implementation, and testing efforts related to the redundant systems. The disclosed technology improves upon the conventional approaches by greatly simplifying development and maintenance of redundant navigation systems while helping ensure seamless and safe transitioning between redundant navigation systems.

FIG. 3A illustrates an example 300 of a vehicle system 302, according to an embodiment of the disclosed technology. As shown in the example of FIG. 3A, the vehicle system 302 can include sensors 304, a runtime system 308, a primary computing system (e.g., a first computing system) 320, a backup computing system (e.g., a second computing system) 330, and motion control components 344 for controlling a vehicle in which the vehicle system 302 is implemented. The example vehicle system 302 can include at least one data store 306. In some embodiments, some or all of the functionality performed by the vehicle system 302 and its sub-modules may be performed by one or more computing systems implemented in a vehicle, such as a vehicle system 640 of FIG. 6. The components (e.g., modules, elements, etc.) shown in this figure and all figures herein are exemplary only, and other implementations may include additional, fewer, integrated, or different components. For example, although only the primary computing system 320 and backup computing system 330 are shown in FIG. 3A, three or more computing systems may be included in the vehicle system 302. Some components may not be shown so as not to obscure relevant details.

The runtime system 308 can include a health monitor module 310 and an arbiter module 312. The runtime system 308 can be configured to communicate and operate with the at least one data store 306, as shown in the example system 300. The at least one data store 306 can be configured to store and maintain various types of data. For example, the data store 306 can store hardware profiles, including timing and response profiles, of motion control components 344, diagnostic codes for the motion control components 344, handling routines for types of failures that may be experienced by a computing system (e.g., primary computing system 320 or backup computing system 330), event logs, and the like. In some embodiments, some or all data stored in the data store 306 can be stored by the vehicle 640 of FIG. 6. The runtime system 308 can access data stored in the data store 306 to configure the health monitor module 310 to detect primary computing system failures and determine vehicle control instructions in case of such failure.

The health monitor module 310 can be configured to receive or access diagnostics (e.g., system health diagnostics) from the primary computing system 320 and the backup computing system 330. The diagnostic information associated with the primary computing system 320 or the backup computing system 330 can indicate a healthy state, a failed state, a warning, or the like. In some embodiments, the health monitor module 310 may store the diagnostics in an event log stored in the data store 306. In some embodiments, each of the primary computing system 320 and the backup computing system 330 may include a health monitor module which can provide collected diagnostic information to the health monitor module 310.

In some embodiments, the arbiter module 312 can be configured to receive diagnostics from the health monitor module 310 and, upon a detection of a failure of the primary computing system 320, can transition control of the vehicle to the backup computing system 330. The arbiter module 312 can provide a selection mechanism (e.g., a multiplexer) for a control module 342 of the backup computing system 330 and its counterpart control module of the primary computing system 320 so that only one set of control signals from a control module can be provided to the motion control components 344. The selection mechanism can determine which set of control signals to provide to the motion control components 344 based on the diagnostics as detected and processed by the health monitor module 310. For example, if the primary computing system 320 is in a failed state, then the selection mechanism provided by the arbiter module 312 can provide control signals generated by the control module 342 of the backup computing system 330.

As shown, the backup computing system 330 can include a perception module 332, a prediction module 334, a planning module 336, a trajectory emulation module 338, a trajectory selection module 340, and the control module 342. Likewise, the primary computing system 320 can include its own perception module, prediction module, planning module, trajectory emulation module, trajectory selection module, and control module. These perception, prediction, planning, and control modules can perform the same or similar operations as corresponding modules discussed in reference to FIG. 2. Further, a trajectory emulation module 338 and a trajectory selection module 340 of the backup computing system 330 can be configured to perform the same operations, as described below.

The trajectory emulation module 338 can generate, or otherwise determine, an emulated trajectory based on current states of motion control components 344. In some embodiments, the emulated trajectory can be continuously generated. In some embodiments, the emulated trajectory can be generated at or shortly after detection of a failure at the primary computing system 320. The motion control components 344 can be components that individually or collectively control motion of the vehicle. For example, the motion control components 344 can include a steering wheel control component, a brake control component, an accelerator control component, an engine control component, or the like. The motion control components 344 can interpret control signals provided by the control module 342 and effectuate change in vehicle motion. In some embodiments, the trajectory emulation module 338 can access current states of the motion control components 344 to generate emulated trajectories. For example, the trajectory emulation module 338 can determine an emulated trajectory from an angular orientation of a steering wheel, vehicle acceleration, vehicle braking, or revolution of an engine to determine vehicle motion including velocity (e.g., direction and speed) or acceleration of the vehicle at that instant. In some embodiments, the trajectory emulation module 338 can snoop control signals for controlling the motion control components 344 (e.g., snooping on a signal bus) and can determine how the vehicle is instructed to navigate. Each of the motion control components 344 can be associated with various parameters that describe the current states of the motion control components 344. For example, angle, power, torque, and the like can be some of the various parameters. Some parameters can be derivatives of other parameters, such as angular velocity or angular acceleration. The parameters can provide information on current or near-future vehicle motion.
In some embodiments, the trajectory emulation module 338 can generate the emulated trajectory by extrapolating vehicle motion. In some embodiments, the extrapolation may be a linear extrapolation. Generally, an amount of time needed to determine the emulated trajectory is substantially shorter (e.g., generated faster) than an amount of time required for the backup computing system 330 to generate a new planned trajectory from the sensor data. Thus, the backup computing system 330 can determine an emulated trajectory faster than a new planned trajectory. For example, the backup computing system 330 may determine a planned trajectory every second and can determine hundreds of emulated trajectories within the same period of time. Such values are examples, and many variations are possible.

The trajectory selection module 340 can be configured to receive a planned trajectory from the planning module 336 and an emulated trajectory from the trajectory emulation module 338. The trajectory selection module 340 can then select a trajectory to provide to the control module 342. For example, the runtime system 308 can instruct the backup computing system 330 to select the planned trajectory or the emulated trajectory based on diagnostics related to the primary computing system 320. For example, the primary computing system 320 can continuously or periodically provide its diagnostics to the health monitor module 310. When the primary computing system 320 is operating in a normal state (e.g., no failures or warnings reported by the primary computing system 320), the backup computing system 330 continues to independently determine planned trajectories with the planning module 336. However, these planned trajectories are not used to control the vehicle since the primary computing system 320 is operating in a normal state. When the health monitor module 310 determines that the primary computing system 320 has experienced a failure, the runtime system 308 can instruct the trajectory selection module 340 to use an emulated trajectory determined by the trajectory emulation module 338 rather than a trajectory that was planned by the planning module 336. Many variations to the illustrated example system in FIG. 3A are possible and there can be additional, fewer, or alternative modules in similar or alternative configurations. Such similar or alternative configurations that ensure the functionalities described herein are all within the scope of various embodiments of the present invention unless otherwise stated.

FIG. 3B illustrates differences between example travel paths determined by conventional technology and the disclosed technology. For example, the example travel path provided by conventional technology can be determined by the conventional navigation system 200 of FIG. 2. In this example, a vehicle 354, while navigating along a trajectory provided by a primary computing system, experiences a failure in the primary computing system. The vehicle 354 transitions control to a backup computing system. The vehicle 354 is instructed to follow a planned trajectory 358. However, because vehicle motion (e.g., momentum) is in conflict with the planned trajectory 358, the vehicle 354 cannot immediately navigate along the planned trajectory 358. The vehicle 354, therefore, ends up moving some distance 356 before it can be effectively controlled by the backup computing system. As discussed, each planned trajectory can require some amount of time to be generated and, depending on vehicle velocity, the distance 356 can be substantial. In this example, the vehicle 354 advances to a position 360 after travelling the distance 356. The backup computing system can attempt to re-align the vehicle 354 to correspond to the planned trajectory 358. However, during re-alignment, the vehicle 354 may end up following an undesired trajectory 362 which may result in a hazardous condition, such as driving over some debris 364.

In contrast, according to the disclosed technology, a vehicle 384 includes a backup computing system that determines and controls the vehicle 384 based on an emulated trajectory 388. In some embodiments, the emulated trajectory 388 can be an extrapolation of vehicle motion or current assumed trajectory. As discussed in FIG. 3A, the emulated trajectory 388 can be generated at a much higher frequency than a planned trajectory provided by the backup computing system. For at least a short duration, the vehicle 384 can travel along the emulated trajectory 388 to a new position 386. Soon after, the backup computing system can continue operating the vehicle 384 by generating a new planned trajectory 392 consistent with a motion and direction of travel of the vehicle 384, thus avoiding a hazardous condition, such as driving over some debris 390.

FIG. 4 illustrates example timelines demonstrating improvements of the disclosed technology over conventional technology. The timelines represent a progression of time from left to right. The timelines 420, 430, 440 are provided to better illustrate differences between conventional technologies and the disclosed technology. An event timeline 420 describes events related to a vehicle 402. A conventional technology timeline 430 describes how conventional technology may respond to events occurring in the event timeline 420. An improved technology timeline 440 illustrates how the disclosed technology can respond to events based on improvements described in reference to FIGS. 3A and 3B. The timelines 420, 430, and 440 are provided as examples and such timelines can vary. Additionally, illustrated trajectories 406, 408, 410, 412 are for illustrative purposes only and many variations are possible.

At time t_0, the vehicle 402 is in a healthy state. A primary computing system (in FIG. 4, “primary”) associated with the vehicle 402 is controlling the vehicle 402. The vehicle 402 detects, or otherwise determines, debris 404 in its path of vehicle motion. To avoid a potential collision, the primary computing system can generate a planned trajectory 406 for the vehicle 402, and can provide control signals to implement the planned trajectory 406 such that the vehicle 402 follows the planned trajectory 406. A backup computing system (in FIG. 4, “backup”) of the vehicle 402 can similarly generate its own planned trajectory 408 that can be different from the trajectory 406 planned by the primary computing system. Although capable of controlling the vehicle 402, at this point in time the backup computing system is decoupled from motion control components and therefore the vehicle 402 moves as instructed by the primary computing system. According to timeline 430 describing conventional technology, at time t_0, the primary computing system instructs the vehicle to steer left and follow a left planned trajectory 406 while the backup computing system plans a right planned trajectory 408. Similarly, according to timeline 440 describing the disclosed technology, at time t_0, the primary computing system instructs the vehicle to steer left and follow the left planned trajectory 406 while the backup computing system plans the right planned trajectory 408.

At or shortly after a time of failure (t_failure), a runtime system in the vehicle 402 receives an indication that the primary computing system has failed. The runtime system can then instruct the primary computing system to relinquish control of the vehicle 402 and can instruct the backup computing system to assume control of the vehicle 402. Before the backup computing system can assume control of the vehicle 402, the vehicle 402 has already proceeded at least partially along the trajectory 406 that was planned by the primary computing system. Based on conventional technology, once the backup computing system assumes control of the vehicle 402, the backup computing system can instruct the vehicle 402 to follow the right planned trajectory 408 that was planned by the backup computing system. However, motion control components of the vehicle 402, which have been following instructions from the primary computing system, may not permit the vehicle 402 to immediately transition to the right planned trajectory 408. Accordingly, the vehicle 402 may end up following an undesirable trajectory 410 due to the backup computing system abruptly transitioning the vehicle 402 from the left planned trajectory 406 to the right planned trajectory 408. As a result, at time t_3, conventional technology may cause the vehicle 402 to follow the trajectory 410 into a potential collision with debris 404. Even if the vehicle 402 avoids the potential collision with the debris 404, the abrupt transitioning instructed by the conventional technology can cause uncomfortable driving behavior. In contrast, the improved technology can help avoid such abrupt transitions that can cause the vehicle 402 to follow such undesirable trajectories. According to the disclosed technology, the primary computing system does not provide the backup computing system with a planned trajectory.
For example, continuing with the improved technology timeline 440, at or shortly after t_failure, the backup computing system can generate an emulated trajectory 412 reflecting a current motion of the vehicle 402. At or shortly after t_failure, the backup computing system can adopt the emulated trajectory 412 and provide control signals to motion control components of the vehicle 402 based on the emulated trajectory 412, which may be an extrapolation based on current vehicle motion or based on assumed current trajectory. The control signals allow the vehicle 402 to navigate along the emulated trajectory 412 based on current vehicle motion. In this example, use of the emulated trajectory 412 can help transition control of the vehicle 402 from the primary computing system to the backup computing system in a safe and seamless manner. In some embodiments, at time t_2, the backup computing system can generate a new planned trajectory that successfully reconciles its new planned trajectory with a current motion of the vehicle 402. In such embodiments, the backup computing system may resume controlling the vehicle 402 based on planned trajectories instead of relying on subsequent emulated trajectories. In some embodiments, a duration of use of an emulated trajectory can be a predetermined duration of time or can be a duration of time that is determined dynamically. Once handover from the primary computing system to the backup computing system is complete, the backup computing system can continue planning its own trajectories and controlling the vehicle 402 based on the planned trajectories, as discussed above.
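The handover described above (emulated trajectory at t_failure, planned trajectory once it reconciles with vehicle motion or a predetermined duration elapses) can be sketched as follows. This is an added illustration, not code from the disclosure; the class and function names, the 5-degree heading tolerance, the 2-second cap, and the latching of the failure state are all assumptions.

```python
import math
from dataclasses import dataclass, replace
from enum import Enum


class PrimaryHealth(Enum):
    NORMAL = "normal"
    FAILED = "failed"


@dataclass(frozen=True)
class MotionState:
    """Current vehicle motion as seen by the backup system (constructed fields)."""
    x: float        # metres
    y: float        # metres
    heading: float  # radians, 0 = +x axis
    speed: float    # metres per second


def emulate_trajectory(state, horizon_s=1.0, step_s=0.1):
    """Linear extrapolation: hold heading and speed constant over the horizon."""
    vx = state.speed * math.cos(state.heading)
    vy = state.speed * math.sin(state.heading)
    steps = int(round(horizon_s / step_s))
    return [(state.x + vx * k * step_s, state.y + vy * k * step_s)
            for k in range(1, steps + 1)]


def is_reconciled(planned, state, max_heading_err=math.radians(5)):
    """Assumed criterion: the plan's first segment departs within a few
    degrees of the heading the vehicle is actually travelling on."""
    x1, y1 = planned[0]
    err = math.atan2(y1 - state.y, x1 - state.x) - state.heading
    err = math.atan2(math.sin(err), math.cos(err))  # wrap into [-pi, pi]
    return abs(err) <= max_heading_err


class TrajectorySelector:
    """Hypothetical stand-in for the trajectory selection step on the backup."""

    def __init__(self, max_emulation_s=2.0):
        self.max_emulation_s = max_emulation_s  # predetermined duration (assumed)
        self.failure_time = None
        self.handover_complete = False

    def select(self, now, health, state, backup_planned):
        # Assumption: a reported failure is latched; control never flips back.
        if health is PrimaryHealth.FAILED and self.failure_time is None:
            self.failure_time = now
        if self.failure_time is None:
            # Backup keeps planning but stays decoupled from motion control.
            return ("primary", None)
        if not self.handover_complete:
            expired = now - self.failure_time >= self.max_emulation_s
            if expired or is_reconciled(backup_planned, state):
                self.handover_complete = True
        if self.handover_complete:
            return ("backup_planned", backup_planned)
        # Plan conflicts with current motion: follow the extrapolation instead.
        return ("backup_emulated", emulate_trajectory(state))


def run_demo():
    """Constructed timeline: primary steers left, backup's stale plan steers right."""
    selector = TrajectorySelector()
    start = MotionState(x=0.0, y=0.0, heading=0.2, speed=10.0)
    # (time in s, primary health, heading of the backup's latest plan in rad)
    timeline = [
        (0.0, PrimaryHealth.NORMAL, -0.2),
        (0.1, PrimaryHealth.FAILED, -0.2),
        (0.2, PrimaryHealth.FAILED, -0.2),
        (0.3, PrimaryHealth.FAILED, 0.22),  # new plan consistent with motion
        (0.4, PrimaryHealth.FAILED, 0.22),
    ]
    sources = []
    for t, health, plan_heading in timeline:
        # The vehicle keeps moving along the heading the primary set.
        state = replace(start,
                        x=start.speed * math.cos(start.heading) * t,
                        y=start.speed * math.sin(start.heading) * t)
        # Constructed straight-line plan leaving the current position.
        planned = emulate_trajectory(replace(state, heading=plan_heading))
        source, _ = selector.select(t, health, state, planned)
        sources.append(source)
    return sources


if __name__ == "__main__":
    print(run_demo())
```
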

FIG. 5 illustrates an example method 500, according to an embodiment of the disclosed technology. At block 502, the example method 500 can receive sensor data from a plurality of sensors configured to provide information about an environment surrounding a vehicle to at least a first computing system and a second computing system associated with the vehicle, wherein the first computing system and the second computing system are each capable of generating navigation instructions for the vehicle based at least in part on the received sensor data. At block 504, the example method 500 can determine, by the first computing system, a first planned trajectory based on the sensor data. At block 506, the example method 500 can navigate, by the first computing system, the vehicle based on the first planned trajectory. At block 508, the example method 500 can transition control of the vehicle to the second computing system based on a failure associated with the first computing system. At block 510, the example method 500 can determine, by the second computing system, an emulated trajectory based on data describing a current motion of the vehicle. At block 512, the example method 500 can navigate, by the second computing system, the vehicle based on the emulated trajectory.

Many variations to the example method are possible. It should be appreciated that there can be additional, fewer, or alternative steps performed in similar or alternative orders, or in parallel, within the scope of the various embodiments discussed herein unless otherwise stated.

FIG. 6 illustrates an example block diagram of a transportation management environment for matching ride requestors with vehicles. In particular embodiments, the environment may include various computing entities, such as a user computing device 630 of a user 601 (e.g., a ride provider or requestor), a transportation management system 660, a vehicle 640, and one or more third-party systems 670. The vehicle 640 can be autonomous, semi-autonomous, or manually drivable. The computing entities may be communicatively connected over any suitable network 610. As an example and not by way of limitation, one or more portions of network 610 may include an ad hoc network, an extranet, a virtual private network (VPN), a local area network (LAN), a wireless LAN (WLAN), a wide area network (WAN), a wireless WAN (WWAN), a metropolitan area network (MAN), a portion of the Internet, a portion of Public Switched Telephone Network (PSTN), a cellular network, or a combination of any of the above. In particular embodiments, any suitable network arrangement and protocol enabling the computing entities to communicate with each other may be used. Although FIG. 6 illustrates a single user device 630, a single transportation management system 660, a single vehicle 640, a plurality of third-party systems 670, and a single network 610, this disclosure contemplates any suitable number of each of these entities. As an example and not by way of limitation, the network environment may include multiple users 601, user devices 630, transportation management systems 660, vehicles 640, third-party systems 670, and networks 610. In some embodiments, some or all modules of the smart monitoring module 202 may be implemented by one or more computing systems of the transportation management system 660. In some embodiments, some or all modules of the smart monitoring module 202 may be implemented by one or more computing systems in the vehicle 640.

The user device 630, transportation management system 660, vehicle 640, and third-party system 670 may be communicatively connected or co-located with each other in whole or in part. These computing entities may communicate via different transmission technologies and network types. For example, the user device 630 and the vehicle 640 may communicate with each other via a cable or short-range wireless communication (e.g., Bluetooth, NFC, WI-FI, etc.), and together they may be connected to the Internet via a cellular network that is accessible to either one of the devices (e.g., the user device 630 may be a smartphone with LTE connection). The transportation management system 660 and third-party system 670, on the other hand, may be connected to the Internet via their respective LAN/WLAN networks and Internet Service Providers (ISP). FIG. 6 illustrates transmission links 650 that connect user device 630, vehicle 640, transportation management system 660, and third-party system 670 to communication network 610. This disclosure contemplates any suitable transmission links 650, including, e.g., wire connections (e.g., USB, Lightning, Digital Subscriber Line (DSL) or Data Over Cable Service Interface Specification (DOCSIS)), wireless connections (e.g., WI-FI, WiMAX, cellular, satellite, NFC, Bluetooth), optical connections (e.g., Synchronous Optical Networking (SONET), Synchronous Digital Hierarchy (SDH)), any other wireless communication technologies, and any combination thereof. In particular embodiments, one or more links 650 may connect to one or more networks 610, which may include in part, e.g., ad-hoc network, the Intranet, extranet, VPN, LAN, WLAN, WAN, WWAN, MAN, PSTN, a cellular network, a satellite network, or any combination thereof. The computing entities need not necessarily use the same type of transmission link 650.
For example, the user device 630 may communicate with the transportation management system via a cellular network and the Internet, but communicate with the vehicle 640 via Bluetooth or a physical wire connection.

In particular embodiments, the transportation management system 660 may fulfill ride requests for one or more users 601 by dispatching suitable vehicles. The transportation management system 660 may receive any number of ride requests from any number of ride requestors 601. In particular embodiments, a ride request from a ride requestor 601 may include an identifier that identifies the ride requestor in the system 660. The transportation management system 660 may use the identifier to access and store the ride requestor's 601 information, in accordance with the requestor's 601 privacy settings. The ride requestor's 601 information may be stored in one or more data stores (e.g., a relational database system) associated with and accessible to the transportation management system 660. In particular embodiments, ride requestor information may include profile information about a particular ride requestor 601. In particular embodiments, the ride requestor 601 may be associated with one or more categories or types, through which the ride requestor 601 may be associated with aggregate information about certain ride requestors of those categories or types. Ride information may include, for example, preferred pick-up and drop-off locations, driving preferences (e.g., safety comfort level, preferred speed, rates of acceleration/deceleration, safety distance from other vehicles when travelling at various speeds, route, etc.), entertainment preferences and settings (e.g., preferred music genre or playlist, audio volume, display brightness, etc.), temperature settings, whether conversation with the driver is welcomed, frequent destinations, historical riding patterns (e.g., time of day of travel, starting and ending locations, etc.), preferred language, age, gender, or any other suitable information.
In particular embodiments, the transportation management system 660 may classify a user 601 based on known information about the user 601 (e.g., using machine-learning classifiers), and use the classification to retrieve relevant aggregate information associated with that class. For example, the system 660 may classify a user 601 as a young adult and retrieve relevant aggregate information associated with young adults, such as the type of music generally preferred by young adults.

Transportation management system 660 may also store and access ride information. Ride information may include locations related to the ride, traffic data, route options, optimal pick-up or drop-off locations for the ride, or any other suitable information associated with a ride. As an example and not by way of limitation, when the transportation management system 660 receives a request to travel from San Francisco International Airport (SFO) to Palo Alto, Calif., the system 660 may access or generate any relevant ride information for this particular ride request. The ride information may include, for example, preferred pick-up locations at SFO; alternate pick-up locations in the event that a pick-up location is incompatible with the ride requestor (e.g., the ride requestor may be disabled and cannot access the pick-up location) or the pick-up location is otherwise unavailable due to construction, traffic congestion, changes in pick-up/drop-off rules, or any other reason; one or more routes to navigate from SFO to Palo Alto; preferred off-ramps for a type of user; or any other suitable information associated with the ride. In particular embodiments, portions of the ride information may be based on historical data associated with historical rides facilitated by the system 660.
For example, historical data may include aggregate information generated based on past ride information, which may include any ride information described herein and telemetry data collected by sensors in vehicles and user devices. Historical data may be associated with a particular user (e.g., that particular user's preferences, common routes, etc.), a category/class of users (e.g., based on demographics), and all users of the system 660. For example, historical data specific to a single user may include information about past rides that particular user has taken, including the locations at which the user is picked up and dropped off, music the user likes to listen to, traffic information associated with the rides, time of the day the user most often rides, and any other suitable information specific to the user. As another example, historical data associated with a category/class of users may include, e.g., common or popular ride preferences of users in that category/class, such as teenagers preferring pop music, ride requestors who frequently commute to the financial district may prefer to listen to the news, etc. As yet another example, historical data associated with all users may include general usage trends, such as traffic and ride patterns. Using historical data, the system 660 in particular embodiments may predict and provide ride suggestions in response to a ride request. In particular embodiments, the system 660 may use machine-learning, such as neural networks, regression algorithms, instance-based algorithms (e.g., k-Nearest Neighbor), decision-tree algorithms, Bayesian algorithms, clustering algorithms, association-rule-learning algorithms, deep-learning algorithms, dimensionality-reduction algorithms, ensemble algorithms, and any other suitable machine-learning algorithms known to persons of ordinary skill in the art.
The machine-learning models may be trained using any suitable training algorithm, including supervised learning based on labeled training data, unsupervised learning based on unlabeled training data, and semi-supervised learning based on a mixture of labeled and unlabeled training data.

In particular embodiments, transportation management system 660 may include one or more server computers. Each server may be a unitary server or a distributed server spanning multiple computers or multiple datacenters. The servers may be of various types, such as, for example and without limitation, web server, news server, mail server, message server, advertising server, file server, application server, exchange server, database server, proxy server, another server suitable for performing functions or processes described herein, or any combination thereof. In particular embodiments, each server may include hardware, software, or embedded logic components or a combination of two or more such components for carrying out the appropriate functionalities implemented or supported by the server. In particular embodiments, transportation management system 660 may include one or more data stores. The data stores may be used to store various types of information, such as ride information, ride requestor information, ride provider information, historical information, third-party information, or any other suitable type of information. In particular embodiments, the information stored in the data stores may be organized according to specific data structures. In particular embodiments, each data store may be a relational, columnar, correlation, or any other suitable type of database system. Although this disclosure describes or illustrates particular types of databases, this disclosure contemplates any suitable types of databases. Particular embodiments may provide interfaces that enable a user device 630 (which may belong to a ride requestor or provider), a transportation management system 660, vehicle system 640, or a third-party system 670 to process, transform, manage, retrieve, modify, add, or delete the information stored in the data store.

In particular embodiments, transportation management system 660 may include an authorization server (or any other suitable component(s)) that allows users 601 to opt-in to or opt-out of having their information and actions logged, recorded, or sensed by transportation management system 660 or shared with other systems (e.g., third-party systems 670). In particular embodiments, a user 601 may opt-in or opt-out by setting appropriate privacy settings. A privacy setting of a user may determine what information associated with the user may be logged, how information associated with the user may be logged, when information associated with the user may be logged, who may log information associated with the user, whom information associated with the user may be shared with, and for what purposes information associated with the user may be logged or shared. Authorization servers may be used to enforce one or more privacy settings of the users 601 of transportation management system 660 through blocking, data hashing, anonymization, or other suitable techniques as appropriate.

In particular embodiments, third-party system 670 may be a network-addressable computing system that may provide HD maps or host GPS maps, customer reviews, music or content, weather information, or any other suitable type of information. Third-party system 670 may generate, store, receive, and send relevant data, such as, for example, map data, customer review data from a customer review website, weather data, or any other suitable type of data. Third-party system 670 may be accessed by the other computing entities of the network environment either directly or via network 610. For example, user device 630 may access the third-party system 670 via network 610, or via transportation management system 660. In the latter case, if credentials are required to access the third-party system 670, the user 601 may provide such information to the transportation management system 660, which may serve as a proxy for accessing content from the third-party system 670.

In particular embodiments, user device 630 may be a mobile computing device such as a smartphone, tablet computer, or laptop computer. User device 630 may include one or more processors (e.g., CPU, GPU), memory, and storage. An operating system and applications may be installed on the user device 630, such as, e.g., a transportation application associated with the transportation management system 660, applications associated with third-party systems 670, and applications associated with the operating system. User device 630 may include functionality for determining its location, direction, or orientation, based on integrated sensors such as GPS, compass, gyroscope, or accelerometer. User device 630 may also include wireless transceivers for wireless communication and may support wireless communication protocols such as Bluetooth, near-field communication (NFC), infrared (IR) communication, WI-FI, and 2G/3G/4G/LTE mobile communication standard. User device 630 may also include one or more cameras, scanners, touchscreens, microphones, speakers, and any other suitable input-output devices.

In particular embodiments, the vehicle 640 may be equipped with an array of sensors 644, a navigation system 646, and a ride-service computing device 648. In particular embodiments, a fleet of vehicles 640 may be managed by the transportation management system 660. The fleet of vehicles 640, in whole or in part, may be owned by the entity associated with the transportation management system 660, or they may be owned by a third-party entity relative to the transportation management system 660. In either case, the transportation management system 660 may control the operations of the vehicles 640, including, e.g., dispatching select vehicles 640 to fulfill ride requests, instructing the vehicles 640 to perform select operations (e.g., head to a service center or charging/fueling station, pull over, stop immediately, self-diagnose, lock/unlock compartments, change music station, change temperature, and any other suitable operations), and instructing the vehicles 640 to enter select operation modes (e.g., operate normally, drive at a reduced speed, drive under the command of human operators, and any other suitable operational modes).

In particular embodiments, the vehicles 640 may receive data from and transmit data to the transportation management system 660 and the third-party system 670. Examples of received data may include, e.g., instructions, new software or software updates, maps, 3D models, trained or untrained machine-learning models, location information (e.g., location of the ride requestor, the vehicle 640 itself, other vehicles 640, and target destinations such as service centers), navigation information, traffic information, weather information, entertainment content (e.g., music, video, and news), ride requestor information, ride information, and any other suitable information. Examples of data transmitted from the vehicle 640 may include, e.g., telemetry and sensor data, determinations/decisions based on such data, vehicle condition or state (e.g., battery/fuel level, tire and brake conditions, sensor condition, speed, odometer, etc.), location, navigation data, passenger inputs (e.g., through a user interface in the vehicle 640, passengers may send/receive data to the transportation management system 660 and third-party system 670), and any other suitable data.

In particular embodiments, vehicles 640 may also communicate with each other, including those managed and not managed by the transportation management system 660. For example, one vehicle 640 may communicate with another vehicle data regarding their respective location, condition, status, sensor reading, and any other suitable information. In particular embodiments, vehicle-to-vehicle communication may take place over direct short-range wireless connection (e.g., WI-FI, Bluetooth, NFC) or over a network (e.g., the Internet or via the transportation management system 660 or third-party system 670), or both.

In particular embodiments, a vehicle 640 may obtain and process sensor/telemetry data. Such data may be captured by any suitable sensors. For example, the vehicle 640 may have a Light Detection and Ranging (LiDAR) sensor array of multiple LiDAR transceivers that are configured to rotate 360°, emitting pulsed laser light and measuring the reflected light from objects surrounding vehicle 640. In particular embodiments, LiDAR transmitting signals may be steered by use of a gated light valve, which may be a MEMs device that directs a light beam using the principle of light diffraction. Such a device may not use a gimbaled mirror to steer light beams in 360° around the vehicle. Rather, the gated light valve may direct the light beam into one of several optical fibers, which may be arranged such that the light beam may be directed to many discrete positions around the vehicle. Thus, data may be captured in 360° around the vehicle, but no rotating parts may be necessary. A LiDAR is an effective sensor for measuring distances to targets, and as such may be used to generate a three-dimensional (3D) model of the external environment of the vehicle 640. As an example and not by way of limitation, the 3D model may represent the external environment including objects such as other cars, curbs, debris, objects, and pedestrians up to a maximum range of the sensor arrangement (e.g., 50, 100, or 200 meters). As another example, the vehicle 640 may have optical cameras pointing in different directions. The cameras may be used for, e.g., recognizing roads, lane markings, street signs, traffic lights, police, other vehicles, and any other visible objects of interest. To enable the vehicle 640 to “see” at night, infrared cameras may be installed. In particular embodiments, the vehicle may be equipped with stereo vision for, e.g., spotting hazards such as pedestrians or tree branches on the road.
As another example, the vehicle 640 may have radars for, e.g., detecting other vehicles and hazards afar. Furthermore, the vehicle 640 may have ultrasound equipment for, e.g., parking and obstacle detection. In addition to sensors enabling the vehicle 640 to detect, measure, and understand the external world around it, the vehicle 640 may further be equipped with sensors for detecting and self-diagnosing the vehicle's own state and condition. For example, the vehicle 640 may have wheel sensors for, e.g., measuring velocity; global positioning system (GPS) for, e.g., determining the vehicle's current geolocation; and inertial measurement units, accelerometers, gyroscopes, and odometer systems for movement or motion detection. While the description of these sensors provides particular examples of utility, one of ordinary skill in the art would appreciate that the utilities of the sensors are not limited to those examples. Further, while an example of a utility may be described with respect to a particular type of sensor, it should be appreciated that the utility may be achieved using any combination of sensors. For example, the vehicle 640 may build a 3D model of its surrounding based on data from its LiDAR, radar, sonar, and cameras, along with a pre-generated map obtained from the transportation management system 660 or the third-party system 670. Although sensors 644 appear in a particular location on the vehicle 640 in FIG. 6, sensors 644 may be located in any suitable location in or on the vehicle 640. Example locations for sensors include the front and rear bumpers, the doors, the front windshield, on the side panel, or any other suitable location.

In particular embodiments, the vehicle 640 may be equipped with a processing unit (e.g., one or more CPUs and GPUs), memory, and storage. The vehicle 640 may thus be equipped to perform a variety of computational and processing tasks, including processing the sensor data, extracting useful information, and operating accordingly. For example, based on images captured by its cameras and a machine-vision model, the vehicle 640 may identify particular types of objects captured by the images, such as pedestrians, other vehicles, lanes, curbs, and any other objects of interest.

In particular embodiments, the vehicle 640 may have a navigation system 646 responsible for safely navigating the vehicle 640. In particular embodiments, the navigation system 646 may take as input any type of sensor data from, e.g., a Global Positioning System (GPS) module, inertial measurement unit (IMU), LiDAR sensors, optical cameras, radio frequency (RF) transceivers, or any other suitable telemetry or sensory mechanisms. The navigation system 646 may also utilize, e.g., map data, traffic data, accident reports, weather reports, instructions, target destinations, and any other suitable information to determine navigation routes and particular driving operations (e.g., slowing down, speeding up, stopping, swerving, etc.). In particular embodiments, the navigation system 646 may use its determinations to control the vehicle 640 to operate in prescribed manners and to guide the vehicle 640 to its destinations without colliding into other objects. Although the physical embodiment of the navigation system 646 (e.g., the processing unit) appears in a particular location on the vehicle 640 in FIG. 6, navigation system 646 may be located in any suitable location in or on the vehicle 640. Example locations for navigation system 646 include inside the cabin or passenger compartment of the vehicle 640, near the engine/battery, near the front seats, rear seats, or in any other suitable location.

In particular embodiments, the vehicle 640 may be equipped with a ride-service computing device 648, which may be a tablet or any other suitable device installed by transportation management system 660 to allow the user to interact with the vehicle 640, transportation management system 660, other users 601, or third-party systems 670. In particular embodiments, installation of ride-service computing device 648 may be accomplished by placing the ride-service computing device 648 inside the vehicle 640, and configuring it to communicate with the vehicle 640 via a wired or wireless connection (e.g., via Bluetooth). Although FIG. 6 illustrates a single ride-service computing device 648 at a particular location in the vehicle 640, the vehicle 640 may include several ride-service computing devices 648 in several different locations within the vehicle. As an example and not by way of limitation, the vehicle 640 may include four ride-service computing devices 648 located in the following places: one in front of the front-left passenger seat (e.g., driver's seat in traditional U.S. automobiles), one in front of the front-right passenger seat, one in front of each of the rear-left and rear-right passenger seats. In particular embodiments, ride-service computing device 648 may be detachable from any component of the vehicle 640. This may allow users to handle ride-service computing device 648 in a manner consistent with other tablet computing devices. As an example and not by way of limitation, a user may move ride-service computing device 648 to any location in the cabin or passenger compartment of the vehicle 640, may hold ride-service computing device 648, or handle ride-service computing device 648 in any other suitable manner. Although this disclosure describes providing a particular computing device in a particular manner, this disclosure contemplates providing any suitable computing device in any suitable manner.

FIG. 7 illustrates an example computer system 700. In particular embodiments, one or more computer systems 700 perform one or more steps of one or more methods described or illustrated herein. In particular embodiments, one or more computer systems 700 provide the functionalities described or illustrated herein. In particular embodiments, software running on one or more computer systems 700 performs one or more steps of one or more methods described or illustrated herein or provides the functionalities described or illustrated herein. Particular embodiments include one or more portions of one or more computer systems 700. Herein, a reference to a computer system may encompass a computing device, and vice versa, where appropriate. Moreover, a reference to a computer system may encompass one or more computer systems, where appropriate.

This disclosure contemplates any suitable number of computer systems 700. This disclosure contemplates computer system 700 taking any suitable physical form. As example and not by way of limitation, computer system 700 may be an embedded computer system, a system-on-chip (SOC), a single-board computer system (SBC) (such as, for example, a computer-on-module (COM) or system-on-module (SOM)), a desktop computer system, a laptop or notebook computer system, an interactive kiosk, a mainframe, a mesh of computer systems, a mobile telephone, a personal digital assistant (PDA), a server, a tablet computer system, an augmented/virtual reality device, or a combination of two or more of these. Where appropriate, computer system 700 may include one or more computer systems 700; be unitary or distributed; span multiple locations; span multiple machines; span multiple data centers; or reside in a cloud, which may include one or more cloud components in one or more networks. Where appropriate, one or more computer systems 700 may perform without substantial spatial or temporal limitation one or more steps of one or more methods described or illustrated herein. As an example and not by way of limitation, one or more computer systems 700 may perform in real time or in batch mode one or more steps of one or more methods described or illustrated herein. One or more computer systems 700 may perform at different times or at different locations one or more steps of one or more methods described or illustrated herein, where appropriate.

In particular embodiments, computer system 700 includes a processor 702, memory 704, storage 706, an input/output (I/O) interface 708, a communication interface 710, and a bus 712. Although this disclosure describes and illustrates a particular computer system having a particular number of particular components in a particular arrangement, this disclosure contemplates any suitable computer system having any suitable number of any suitable components in any suitable arrangement.

In particular embodiments, processor 702 includes hardware for executing instructions, such as those making up a computer program. As an example and not by way of limitation, to execute instructions, processor 702 may retrieve (or fetch) the instructions from an internal register, an internal cache, memory 704, or storage 706; decode and execute them; and then write one or more results to an internal register, an internal cache, memory 704, or storage 706. In particular embodiments, processor 702 may include one or more internal caches for data, instructions, or addresses. This disclosure contemplates processor 702 including any suitable number of any suitable internal caches, where appropriate. As an example and not by way of limitation, processor 702 may include one or more instruction caches, one or more data caches, and one or more translation lookaside buffers (TLBs). Instructions in the instruction caches may be copies of instructions in memory 704 or storage 706, and the instruction caches may speed up retrieval of those instructions by processor 702. Data in the data caches may be copies of data in memory 704 or storage 706 that are to be operated on by computer instructions; the results of previous instructions executed by processor 702 that are accessible to subsequent instructions or for writing to memory 704 or storage 706; or any other suitable data. The data caches may speed up read or write operations by processor 702. The TLBs may speed up virtual-address translation for processor 702. In particular embodiments, processor 702 may include one or more internal registers for data, instructions, or addresses. This disclosure contemplates processor 702 including any suitable number of any suitable internal registers, where appropriate. Where appropriate, processor 702 may include one or more arithmetic logic units (ALUs), be a multi-core processor, or include one or more processors 702. Although this disclosure describes and illustrates a particular processor, this disclosure contemplates any suitable processor.

In particular embodiments, memory 704 includes main memory for storing instructions for processor 702 to execute or data for processor 702 to operate on. As an example and not by way of limitation, computer system 700 may load instructions from storage 706 or another source (such as another computer system 700) to memory 704. Processor 702 may then load the instructions from memory 704 to an internal register or internal cache. To execute the instructions, processor 702 may retrieve the instructions from the internal register or internal cache and decode them. During or after execution of the instructions, processor 702 may write one or more results (which may be intermediate or final results) to the internal register or internal cache. Processor 702 may then write one or more of those results to memory 704. In particular embodiments, processor 702 executes only instructions in one or more internal registers or internal caches or in memory 704 (as opposed to storage 706 or elsewhere) and operates only on data in one or more internal registers or internal caches or in memory 704 (as opposed to storage 706 or elsewhere). One or more memory buses (which may each include an address bus and a data bus) may couple processor 702 to memory 704. Bus 712 may include one or more memory buses, as described in further detail below. In particular embodiments, one or more memory management units (MMUs) reside between processor 702 and memory 704 and facilitate accesses to memory 704 requested by processor 702. In particular embodiments, memory 704 includes random access memory (RAM). This RAM may be volatile memory, where appropriate. Where appropriate, this RAM may be dynamic RAM (DRAM) or static RAM (SRAM). Moreover, where appropriate, this RAM may be single-ported or multi-ported RAM. This disclosure contemplates any suitable RAM. Memory 704 may include one or more memories 704, where appropriate. Although this disclosure describes and illustrates particular memory, this disclosure contemplates any suitable memory.

In particular embodiments, storage 706 includes mass storage for data or instructions. As an example and not by way of limitation, storage 706 may include a hard disk drive (HDD), a floppy disk drive, flash memory, an optical disc, a magneto-optical disc, magnetic tape, or a Universal Serial Bus (USB) drive or a combination of two or more of these. Storage 706 may include removable or non-removable (or fixed) media, where appropriate. Storage 706 may be internal or external to computer system 700, where appropriate. In particular embodiments, storage 706 is non-volatile, solid-state memory. In particular embodiments, storage 706 includes read-only memory (ROM). Where appropriate, this ROM may be mask-programmed ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), electrically alterable ROM (EAROM), or flash memory or a combination of two or more of these. This disclosure contemplates mass storage 706 taking any suitable physical form. Storage 706 may include one or more storage control units facilitating communication between processor 702 and storage 706, where appropriate. Where appropriate, storage 706 may include one or more storages 706. Although this disclosure describes and illustrates particular storage, this disclosure contemplates any suitable storage.

In particular embodiments, I/O interface 708 includes hardware or software, or both, providing one or more interfaces for communication between computer system 700 and one or more I/O devices. Computer system 700 may include one or more of these I/O devices, where appropriate. One or more of these I/O devices may enable communication between a person and computer system 700. As an example and not by way of limitation, an I/O device may include a keyboard, keypad, microphone, monitor, mouse, printer, scanner, speaker, still camera, stylus, tablet, touch screen, trackball, video camera, another suitable I/O device or a combination of two or more of these. An I/O device may include one or more sensors. This disclosure contemplates any suitable I/O devices and any suitable I/O interfaces 708 for them. Where appropriate, I/O interface 708 may include one or more device or software drivers enabling processor 702 to drive one or more of these I/O devices. I/O interface 708 may include one or more I/O interfaces 708, where appropriate. Although this disclosure describes and illustrates a particular I/O interface, this disclosure contemplates any suitable I/O interface.

In particular embodiments, communication interface 710 includes hardware or software, or both providing one or more interfaces for communication (such as, for example, packet-based communication) between computer system 700 and one or more other computer systems 700 or one or more networks. As an example and not by way of limitation, communication interface 710 may include a network interface controller (NIC) or network adapter for communicating with an Ethernet or any other wire-based network or a wireless NIC (WNIC) or wireless adapter for communicating with a wireless network, such as a WI-FI network. This disclosure contemplates any suitable network and any suitable communication interface 710 for it. As an example and not by way of limitation, computer system 700 may communicate with an ad hoc network, a personal area network (PAN), a local area network (LAN), a wide area network (WAN), a metropolitan area network (MAN), or one or more portions of the Internet or a combination of two or more of these. One or more portions of one or more of these networks may be wired or wireless. As an example, computer system 700 may communicate with a wireless PAN (WPAN) (such as, for example, a Bluetooth WPAN), a WI-FI network, a WI-MAX network, a cellular telephone network (such as, for example, a Global System for Mobile Communications (GSM) network), or any other suitable wireless network or a combination of two or more of these. Computer system 700 may include any suitable communication interface 710 for any of these networks, where appropriate. Communication interface 710 may include one or more communication interfaces 710, where appropriate. Although this disclosure describes and illustrates a particular communication interface, this disclosure contemplates any suitable communication interface.

In particular embodiments, bus 712 includes hardware or software, or both coupling components of computer system 700 to each other. As an example and not by way of limitation, bus 712 may include an Accelerated Graphics Port (AGP) or any other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a front-side bus (FSB), a HYPERTRANSPORT (HT) interconnect, an Industry Standard Architecture (ISA) bus, an INFINIBAND interconnect, a low-pin-count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCIe) bus, a serial advanced technology attachment (SATA) bus, a Video Electronics Standards Association local (VLB) bus, or another suitable bus or a combination of two or more of these. Bus 712 may include one or more buses 712, where appropriate. Although this disclosure describes and illustrates a particular bus, this disclosure contemplates any suitable bus or interconnect.

Herein, a computer-readable non-transitory storage medium or media may include one or more semiconductor-based or other types of integrated circuits (ICs) (such as, for example, field-programmable gate arrays (FPGAs) or application-specific ICs (ASICs)), hard disk drives (HDDs), hybrid hard drives (HHDs), optical discs, optical disc drives (ODDs), magneto-optical discs, magneto-optical drives, floppy diskettes, floppy disk drives (FDDs), magnetic tapes, solid-state drives (SSDs), RAM-drives, SECURE DIGITAL cards or drives, any other suitable computer-readable non-transitory storage media, or any suitable combination of two or more of these, where appropriate. A computer-readable non-transitory storage medium may be volatile, non-volatile, or a combination of volatile and non-volatile, where appropriate.

Herein, “or” is inclusive and not exclusive, unless expressly indicated otherwise or indicated otherwise by context. Therefore, herein, “A or B” means “A or B, or both,” unless expressly indicated otherwise or indicated otherwise by context. Moreover, “and” is both joint and several, unless expressly indicated otherwise or indicated otherwise by context. Therefore, herein, “A and B” means “A and B, jointly or severally,” unless expressly indicated otherwise or indicated otherwise by context.

Methods described herein may vary in accordance with the present disclosure. Various embodiments of this disclosure may repeat one or more steps of the methods described herein, where appropriate. Although this disclosure describes and illustrates particular steps of certain methods as occurring in a particular order, this disclosure contemplates any suitable steps of the methods occurring in any suitable order or in any combination which may include all, some, or none of the steps of the methods. Furthermore, although this disclosure may describe and illustrate particular components, devices, or systems carrying out particular steps of a method, this disclosure contemplates any suitable combination of any suitable components, devices, or systems carrying out any suitable steps of the method.

The scope of this disclosure encompasses all changes, substitutions, variations, alterations, and modifications to the example embodiments described or illustrated herein that a person having ordinary skill in the art would comprehend. The scope of this disclosure is not limited to the example embodiments described or illustrated herein. Moreover, although this disclosure describes and illustrates respective embodiments herein as including particular components, modules, elements, features, functions, operations, or steps, any of these embodiments may include any combination or permutation of any of the components, modules, elements, features, functions, operations, or steps described or illustrated anywhere herein that a person having ordinary skill in the art would comprehend. Furthermore, reference in the appended claims to an apparatus or system or a component of an apparatus or system being adapted to, arranged to, capable of, configured to, enabled to, operable to, or operative to perform a particular function encompasses that apparatus, system, component, whether or not it or that particular function is activated, turned on, or unlocked, as long as that apparatus, system, or component is so adapted, arranged, capable, configured, enabled, operable, or operative. Additionally, although this disclosure describes or illustrates particular embodiments as providing particular advantages, particular embodiments may provide none, some, or all of these advantages.

What is claimed is:
 1. A computer-implemented method comprising: receiving sensor data from a plurality of sensors configured to provide information about an environment surrounding a vehicle to at least a first computing system and a second computing system of the vehicle, wherein the first computing system and the second computing system generate navigation instructions for the vehicle based, at least in part, on the received sensor data; navigating, by the first computing system, the vehicle based, at least in part, on a first planned trajectory; transitioning control of the vehicle to the second computing system responsive to a failure associated with the first computing system; determining, by the second computing system, an emulated trajectory according to data describing a current motion of the vehicle, wherein determining the emulated trajectory includes extrapolating the current motion as indicated by a current state of a vehicle motion control component; and navigating, by the second computing system, the vehicle based on the emulated trajectory.
 2. The computer-implemented method of claim 1, further comprising: determining, by the second computing system, a second planned trajectory based on the sensor data.
 3. The computer-implemented method of claim 1, wherein the emulated trajectory is generated faster than a time required for the second computing system to generate a new planned trajectory from the sensor data.
 4. The computer-implemented method of claim 1, wherein the vehicle motion control component includes an actuator that controls one of a steering wheel, a brake, and an accelerator of the vehicle.
 5. The computer-implemented method of claim 1, wherein the failure is determined by at least one health monitor associated with the first computing system.
 6. The computer-implemented method of claim 5, wherein the failure is detected by the health monitor; and in response, transitioning control of the vehicle to the second computing system based on the failure, wherein the first computing system is a primary computing system and the second computing system is a backup computing system.
 7. The computer-implemented method of claim 1, wherein the first computing system does not provide the second computing system with the first planned trajectory.
 8. The computer-implemented method of claim 4, wherein the vehicle motion control component is configured to control at least one of a brake, an accelerator, an engine, or a steering wheel, and wherein the emulated trajectory is determined based on information provided by the vehicle motion control component.
 9. The computer-implemented method of claim 8, wherein the extrapolation is a linear extrapolation determined based on parameters associated with the vehicle motion control components including at least one of angle, power, speed, torque, or derivatives of the parameters.
 10. The computer-implemented method of claim 9, wherein the linear extrapolation reflects an instantaneous velocity of the vehicle at a time of the transition of control.
 11. A system comprising: at least one processor; and a memory storing instructions that, when executed by the at least one processor, cause the system to perform: receiving sensor data from a plurality of sensors configured to provide information about an environment surrounding a vehicle to at least a first computing system and a second computing system of the vehicle, wherein the first computing system and the second computing system generate navigation instructions for the vehicle based, at least in part, on the received sensor data; navigating, by the first computing system, the vehicle based, at least in part, on a first planned trajectory; transitioning control of the vehicle to the second computing system responsive to a failure associated with the first computing system; determining, by the second computing system, an emulated trajectory according to data describing a current motion of the vehicle, wherein determining the emulated trajectory includes extrapolating the current motion as indicated by a current state of a vehicle motion control component; and navigating, by the second computing system, the vehicle based on the emulated trajectory.
 12. The system of claim 11, wherein the emulated trajectory is generated faster than a time required for the second computing system to generate a new planned trajectory from the sensor data.
 13. The system of claim 11, wherein the vehicle motion control component includes an actuator that controls one of a steering wheel, a brake, and an accelerator of the vehicle.
 14. The system of claim 13, wherein at least one vehicle motion control component is configured to control at least one of a brake, an accelerator, an engine, or a steering wheel, and wherein the emulated trajectory is determined based on information provided by the vehicle motion control component.
 15. The system of claim 14, wherein the extrapolation is a linear extrapolation determined based on parameters associated with the vehicle motion control components including at least one of angle, power, speed, torque, or derivatives of the parameters.
 16. A non-transitory computer-readable storage medium including instructions that, when executed by at least one processor of a computing system, cause the computing system to perform a method comprising: receiving sensor data from a plurality of sensors configured to provide information about an environment surrounding a vehicle to at least a first computing system and a second computing system of the vehicle, wherein the first computing system and the second computing system generate navigation instructions for the vehicle based, at least in part, on the received sensor data; navigating, by the first computing system, the vehicle based, at least in part, on a first planned trajectory; transitioning control of the vehicle to the second computing system responsive to a failure associated with the first computing system; determining, by the second computing system, an emulated trajectory according to data describing a current motion of the vehicle, wherein determining the emulated trajectory includes extrapolating the current motion as indicated by a current state of a vehicle motion control component; and navigating, by the second computing system, the vehicle based on the emulated trajectory.
 17. The non-transitory computer-readable storage medium of claim 16, wherein the emulated trajectory is generated faster than a time required for the second computing system to generate a new planned trajectory from the sensor data.
 18. The non-transitory computer-readable storage medium of claim 16, wherein the vehicle motion control component includes an actuator that controls one of a steering wheel, a brake, and an accelerator of the vehicle.
 19. The non-transitory computer-readable storage medium of claim 18, wherein the vehicle motion control component is configured to control at least one of a brake, an accelerator, an engine, or a steering wheel, and wherein the emulated trajectory is determined based on information provided by the vehicle motion control component.
 20. The non-transitory computer-readable storage medium of claim 19, wherein the extrapolation is a linear extrapolation determined based on parameters associated with the vehicle motion control components including at least one of angle, power, speed, torque, or derivatives of the parameters.
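
The handover recited in claims 1, 5 to 7, 9 and 10, sketched as an added example that is not code from the patent: a health monitor declares the primary failed, and the backup builds an emulated trajectory by linear extrapolation of the instantaneous velocity, without ever seeing the primary's planned trajectory. The field names, the heartbeat timeout, the latched takeover and the rejection of stale or non-finite motion state are assumptions of this sketch.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class MotionState:
    """Snapshot reported by the vehicle motion control components (hypothetical fields)."""
    t: float        # time of the snapshot, seconds
    x: float        # position, metres
    y: float
    heading: float  # radians, 0 = +x axis
    speed: float    # metres per second


class HealthMonitor:
    """Declares the primary failed when its last heartbeat is older than timeout_s."""

    def __init__(self, timeout_s: float):
        self.timeout_s = timeout_s
        self.last_beat = None

    def heartbeat(self, now: float) -> None:
        self.last_beat = now

    def primary_failed(self, now: float) -> bool:
        # A primary that has never reported is treated as failed (fail safe).
        return self.last_beat is None or (now - self.last_beat) > self.timeout_s


def emulate_trajectory(state: MotionState, horizon_s: float = 2.0, dt: float = 0.5):
    """Linear extrapolation: hold the instantaneous velocity seen at handover."""
    values = (state.t, state.x, state.y, state.heading, state.speed)
    if not all(math.isfinite(v) for v in values):
        raise ValueError("non-finite motion state")
    vx = state.speed * math.cos(state.heading)
    vy = state.speed * math.sin(state.heading)
    steps = int(round(horizon_s / dt))
    # Each waypoint is (time, x, y); no sensor-based planning is involved.
    return [(state.t + k * dt, state.x + vx * k * dt, state.y + vy * k * dt)
            for k in range(1, steps + 1)]


class BackupSystem:
    """Second computing system: idle while the primary is healthy, then takes over."""

    def __init__(self, monitor: HealthMonitor, max_state_age_s: float = 0.1):
        self.monitor = monitor
        self.max_state_age_s = max_state_age_s
        self.in_control = False

    def tick(self, now: float, state: MotionState):
        """Return None while the primary navigates, else the emulated trajectory."""
        if not self.in_control:
            if not self.monitor.primary_failed(now):
                return None
            # Assumption: takeover is latched, so a late heartbeat cannot
            # flip control back and forth between the two systems.
            self.in_control = True
        if now - state.t > self.max_state_age_s:
            raise ValueError("motion state too old to extrapolate")
        # A planned trajectory (claim 2) would replace this once it is ready;
        # that planner is outside this sketch.
        return emulate_trajectory(state)
```
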